TISC Insight, Volume 2, Issue 14

Welcome to Volume 2, Issue 14 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists teach and speak at The Internet Security Conference.

TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.

Enjoy, and be safe,

Dave

In this issue, Lisa Phifer considers security outsourcing; specifically, outsourcing to one of the burgeoning numbers of Managed Security Providers. What questions should you ask to determine if this is the right move for your organization? In her column, Lisa will offer hints on how to assess security expertise, services offered, and some ways to separate a good MSP from one you should steer away from.

Happy reading!


FEATURE COLUMN

What To Look For In A Managed Security Provider

Lisa Phifer, Core Competence

Economic and resourcing factors are fostering rampant growth in outsourced network and application service markets. At the same time, burgeoning business use of the Internet has greatly increased both enterprise security risk and awareness. These industry trends have combined to create an explosive managed security services market. According to IDC, the worldwide market for security services, growing 34% annually, will exceed $2B by 2003.

This bumper crop of emerging managed security providers (MSPs) offers a bevy of services, ranging from managed firewalls to virtual private networks to secure Internet applications. Selecting a managed security provider to protect your enterprise's assets can be a daunting task. Many of these services sound (at least superficially) similar: a provider-managed solution, installed at the edge of your network, with 24x7x365 monitoring by security experts. To understand what each MSP has to offer, you'll need to dig deeper.

Security Expertise

Why do companies outsource security in the first place? Forrester Research put it this way: "Because you don't give receptionists AK47s." Enterprises expect MSPs to provide top-notch security expertise with depth that just isn't available -- or affordable -- in-house. Ask for a client list and check references: does the MSP have a successful history of dealing with companies like your own? Ask about NOC staff qualifications: does the MSP hire employees who are certified to manage the solutions they sell? Do they conduct background checks? Ask about broad, diverse skill sets: can the MSP train your IT staff, can it help you develop your incident preparedness plan, can it provide forensic investigation? Don't blindly assume that anyone who can spell "managed firewall" is a security expert.

Policy Development and Refinement

Before outsourcing security, identify the resources you need to protect and who should be granted access to them. Once you've taken this step, ask prospective MSPs to help you design a security policy and develop a deployment plan. Many MSPs will conduct a vulnerability assessment to help you locate unprotected resources and spotlight security risks.

Your chosen MSP will design, install, and configure hardware and/or software solutions that implement your security plan. During deployment, your MSP may also help you harden your servers and bring your staff up to speed on incident preparedness. Ask the MSP to conduct tests to prove the installed solution is really enforcing your security policy. Don't forget to test "inside-out", tightening policies to reduce your exposure should an inside host be compromised. Good MSPs will repeat vulnerability assessment and review your security policy on a regular basis. Designing an effective security policy is not a "once and done" deal; it requires on-going partnership between you and your MSP.

Breadth of Services

Last fall, Dave Piscitello and I surveyed the MSP landscape in an article published by ISP-Planet (http://www.isp-planet.com/technology/managed_security.html). We found that most managed security services today fall into two categories: managed firewalls and managed VPNs.

Managed firewall services enforce perimeter security for your enterprise network, often via centrally-managed CPE firewalls (e.g., CheckPoint, WatchGuard). Managed VPN services create tunnels between enterprise sites and/or provide secure remote access, using a combination of CPE hardware and software. Most MSPs provide these as discretely-packaged services. Some base several services on a common platform; others use several platforms. Ask your MSP why it chose the platform(s) that it uses, and be wary of proprietary protocols or unusual gear.

Many MSPs sell added-value security services like intrusion detection, URL or active content filtering, and email or web anti-virus scanning. These are typically sold "a la carte", as software bolted onto your CPE firewall. Occasionally, such services can be found on their own (e.g., AT&T's Managed Intrusion Detection Service). Added-value services may be convenient, but usually won't top your list of reasons for choosing an MSP. On the other hand, if what you really need is secure email or web hosting, skip the managed VPN and look for an MSP/ASP that provides secure application services, located in a secure data center. In this column, I focus on managed firewall/VPN providers, but they aren't the only game in town.

Service Reach and Flexibility

Look for an MSP who offers what you need today, but ask about migration for services you expect to need in the future. If you buy a managed firewall service today, will you need an additional or different platform to add secure remote access? Does the MSP offer integrated provisioning, monitoring, and billing that encompass every service you've purchased? Make sure your MSP lets you leverage your investment in multiple services. You may not own the CPE, but you still want a cohesive solution that efficiently implements your security policy.

When managed security services are sold by network access providers, it is easy to overlook the obvious: are you purchasing a service that's ISP-dependent? If so, is that acceptable? Consider roaming users that require national or international access. Where are your MSP's points-of-presence? Has your MSP joined a roaming alliance like GRIC or IPass? Can your managed site-to-site VPN include international branch offices? What is the impact of doing so on cost and performance?

Drill down to uncover integration issues. What authentication methods are supported, and can they be integrated with your own user database or authentication server? What constraints are imposed on IP addressing, and will you be required to renumber? Ideally, you'd like a managed service that adapts to your business, not one that requires you to adapt to it.

Ease of Deployment

Sure, the MSP will install your new CPE firewall or VPN device. But how does your MSP handle hardware and software upgrades? Is your configuration archived before update to enable rollback? What is your MSP's policy for hardware replacement and service restoration in the event of failure?

Will your MSP also supply, install, and support client software? If you can avoid client software, great. If you can't, find an MSP who provides a user-level help desk and takes steps to simplify client software deployment and configuration (e.g., PC "prep" tools, automated policy download). How are new users added to your security policy? Make sure your MSP's policy management system provides sufficient granularity, augmented by grouping to reduce churn and improve scalability.

Robustness and Performance

It is critical that a managed service be sized to meet your company's performance requirements. Many MSPs offer tiered services. For example, some use different firewalls for small and midsize enterprises; others let you choose between NT or *NIX platforms. Larger enterprises should seek high availability services that employ redundant or clustered platforms, load balancing, route diversity, and fault-tolerant software. Look for MSPs with redundant NOCs, mirrored data, and diverse local and long-haul transmission facilities.

Some providers back up performance targets with service level agreements (SLAs). SLAs can identify aggregate throughput, latency, and availability characteristics, describe how these are measured, and define penalties for non-compliance. Many ISPs offer SLAs for core network performance; SLAs covering end-to-end managed security are less common. Money-back guarantees (usually in the form of service credit) may not offset lost revenue during a prolonged outage, but can signal whether your MSP actively works to meet performance expectations.

Security Policy Management

SLAs may also cover other aspects, such as response time and process for implementing security policy changes (e.g., add a new user, change filtering rules). Often, your MSP makes all policy updates. In some cases, your MSP delegates some control -- for example, letting you add users to pre-defined groups. In either case, make sure your MSP tightly controls who can make policy changes (e.g., digitally-signed work orders, strong authentication for remote policy management). Does your MSP maintain an audit trail to spot unexpected behavior or policy violations? Does your MSP use an encrypted tunnel or private link when making policy changes?
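The two controls this paragraph asks about, a signed work order that is checked before a policy change is applied and an audit trail that reveals later tampering, sketched as an added Python example that is not part of the column (an HMAC stands in for the digital signature scheme; all requester names, keys and firewall rules are constructed):

```python
# Added example: change control for MSP policy updates.
# A work order is applied only if it carries a valid signature from a known
# requester; every accept/reject decision is appended to a hash-chained audit
# trail so that edits to the log are detectable. Keys and rules are constructed.
import hashlib
import hmac
import json

# Constructed per-requester secrets (an HMAC stands in for a real signature).
REQUESTER_KEYS = {"alice@customer.example": b"constructed-key-alice"}

def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def sign_order(order: dict, key: bytes) -> str:
    body = json.dumps(order, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_order(order: dict, signature: str) -> bool:
    key = REQUESTER_KEYS.get(order.get("requester"))
    if key is None:
        return False  # unknown requester: reject outright
    return hmac.compare_digest(sign_order(order, key), signature)

class AuditTrail:
    """Append-only log; each record commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        rec = {"prev": prev, "event": event}
        rec["hash"] = _digest(rec)
        self.entries.append(rec)

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.entries:
            if rec["prev"] != prev:
                return False  # broken link: a record was removed or reordered
            if _digest({"prev": rec["prev"], "event": rec["event"]}) != rec["hash"]:
                return False  # record contents changed after the fact
            prev = rec["hash"]
        return True

def apply_change(order: dict, signature: str, policy: list, trail: AuditTrail) -> bool:
    """Apply the rule in a signed work order; log the decision either way."""
    accepted = verify_order(order, signature)
    trail.append({"order": order, "accepted": accepted})
    if accepted:
        policy.append(order["rule"])
    return accepted
```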

MSPs provide monthly reports that let you see how your security policy is being enforced. Ask for a sample report: does it include incident logs, port scan results, network performance and usage stats, change request history? Look for real-time monitoring and on-going security advisories that keep your staff informed so they can pro-actively refine policies and safeguard assets.

Monitoring, Policy Enforcement, and Escalation Procedures

If an MSP doesn't provide 24x7x365 monitoring, find another MSP. NOC staff should be watching your managed service at all times, assessing real-time alarms, denied connections, and logged events. Make sure you understand the procedures your MSP will invoke when a security threat is detected. Identify incident response time, emergency contacts, escalation policy, and containment/recovery strategy in your service agreement. Many MSPs include some emergency response in your monthly tab: know how many hours and what type of expertise you're entitled to. Ask about specialized emergency services, purchased on an as-needed basis.

Security-Readiness of Your Provider's Own Network

One can think of an MSP as a highly-specialized Application Service Provider (ASP). As such, you should expect an MSP to employ the same -- or better -- in-house security practices you'd expect from any ASP. Ian Poynter and Dianna Kelley offered excellent advice on this topic in their Insight column, "Ten Things To Ask Your ASP" (http://tisc.corecom.com/newsletters/29.html). Among the questions they recommend asking: Is your ASP's facility physically secure? Have the ASP's architecture and code been independently reviewed? What is the ASP's disaster recovery plan? How does the ASP safeguard your information from other customers and its own employees? Make sure that, while your MSP is guarding customer networks, it doesn't leave a NOC "back door" open to attack.

Conclusion

Fortune 500 companies who already outsource IT operations may look to these existing outsourcers for integrated network security services. Similarly, business-grade network service providers like Sprint and MCI/WorldCom may be the first place their subscribers will look to "add" outsourced security. But, as a Forrester Research brief suggests, companies should also consider MSPs like ISS eServices that specialize in security: "Look to suppliers that have a strong track record [and] live or die on the business." Finding the right MSP isn't simple, but knowing what questions to ask can help get you started.

© 2000 - 2006 Core Competence & Mactivity, Inc.